(gdb) continue
Continuing.
Breakpoint 2, check_authentication (password=0xbffff9af 'A' <repeats 30 times>) at auth_overflow.c:16
16 return auth_flag;
(gdb) x/s password_buffer
0xbffff7a0: 'A' <repeats 30 times>
(gdb) x/x &auth_flag
0xbffff7bc: 0x00004141
(gdb) x/16xw password_buffer
0xbffff7a0: 0x41414141 0x41414141 0x41414141 0x41414141
0xbffff7b0: 0x41414141 0x41414141 0x41414141 0x00004141
0xbffff7c0: 0xb7ff47b0 0x08048510 0xbffff7d8 0x080484bb
0xbffff7d0: 0xbffff9af 0x08048510 0xbffff838 0xb7eafebc
(gdb) x/4cb &auth_flag
0xbffff7bc: 65 'A' 65 'A' 0 '\0' 0 '\0'
(gdb) x/dw &auth_flag
0xbffff7bc: 16705
(gdb)
After continuing to the next breakpoint, which is placed after the strcpy(), the
same memory locations are examined again. The password_buffer has overflowed into
auth_flag, changing its first two bytes to 0x41. The value 0x00004141 might look
backward again, but remember that x86 is a little-endian architecture, so it is
supposed to look that way. Examining each of the four bytes individually shows how
the memory is actually laid out: 0x41, 0x41, 0x00, 0x00. Read as a little-endian
integer, the program will treat this value as 16705.
(gdb) continue
Continuing.
-=-=-=-=-=-=-=-=-=-=-=-=-=-
Access Granted.
-=-=-=-=-=-=-=-=-=-=-=-=-=-
Program exited with code 034.
(gdb)
After the overflow, the check_authentication() function returns 16705 instead of
0. Since the if statement treats any nonzero value as authenticated, execution is
redirected into the authenticated section. In this example, the auth_flag variable
is the execution control point, since overwriting this value is what gives control
over the program's flow.
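The following C program is an added example and is not the book's auth_overflow.c listing. It reconstructs the pattern the text describes (auth_flag declared before password_buffer, copied with an unbounded strcpy) beside a hardened version that measures the input before copying, and it includes a helper that reads the four bytes from the gdb dump as a little-endian integer to arrive at 16705. The buffer size of 16 and the password "s3cret" are assumptions, not values from the page.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 16   /* assumed buffer size; the page does not state it */

/* The four bytes gdb showed at &auth_flag after the overflow (constructed
 * from the dump on this page): 0x41 0x41 0x00 0x00. */
const unsigned char SPILLED_BYTES[4] = {0x41, 0x41, 0x00, 0x00};

/* Read four bytes as a little-endian 32-bit integer, the way an x86 CPU
 * loads auth_flag from the stack. For SPILLED_BYTES this yields
 * 0x00004141 = 16705, the value the page reports. */
uint32_t le32_from_bytes(const unsigned char b[4]) {
    return (uint32_t)b[0]
         | ((uint32_t)b[1] << 8)
         | ((uint32_t)b[2] << 16)
         | ((uint32_t)b[3] << 24);
}

/* Pattern the page describes (a reconstruction, not the book's listing):
 * strcpy() copies with no bound, so a password longer than the buffer
 * overwrites whatever sits above it on the stack, here auth_flag. Shown
 * only for contrast; calling it with an overlong password is undefined
 * behaviour and is never done below. */
int check_authentication_vulnerable(const char *password) {
    int auth_flag = 0;
    char password_buffer[BUF_SIZE];

    strcpy(password_buffer, password);          /* unbounded copy */
    if (strcmp(password_buffer, "s3cret") == 0) /* assumed placeholder password */
        auth_flag = 1;
    return auth_flag;
}

/* Report the length of s if a terminator occurs within max bytes.
 * Returns 1 and stores the length, or 0 if none was seen. */
static int bounded_len(const char *s, size_t max, size_t *len) {
    for (size_t i = 0; i < max; i++) {
        if (s[i] == '\0') { *len = i; return 1; }
    }
    return 0;
}

/* Hardened form: measure first and refuse anything that does not fit in the
 * buffer together with its terminator. No byte is ever written past
 * password_buffer, so the return value can only be 0 or 1 regardless of
 * how long the input is. */
int check_authentication_safe(const char *password) {
    int auth_flag = 0;
    char password_buffer[BUF_SIZE];
    size_t len;

    if (!bounded_len(password, BUF_SIZE, &len))
        return 0;                               /* too long: reject without copying */
    memcpy(password_buffer, password, len + 1); /* len + 1 includes the terminator */
    if (strcmp(password_buffer, "s3cret") == 0)
        auth_flag = 1;
    return auth_flag;
}

int main(void) {
    char thirty_as[31];                          /* the 30 x 'A' input from the page */
    memset(thirty_as, 'A', 30);
    thirty_as[30] = '\0';

    printf("0x41 0x41 0x00 0x00 read little-endian = %u\n",
           (unsigned)le32_from_bytes(SPILLED_BYTES));
    printf("safe(30 x 'A')  -> %d\n", check_authentication_safe(thirty_as));
    printf("safe(\"s3cret\") -> %d\n", check_authentication_safe("s3cret"));
    return 0;
}
```

The hardened function rejects the overlong input before any copy happens, which is the property to check for in review: the length test must precede the write, and the bound must leave room for the terminator (an input of exactly BUF_SIZE characters is refused, since it would need BUF_SIZE + 1 bytes).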
But this is a very contrived example that depends on the memory layout of the
variables. In auth_overflow2.c, the variables are declared in reverse order.
(Changes to auth_overflow.c are shown in bold.)